An Information Governance Approach to Managing ...itm.iit.edu/netsecure11/AnneShultz_OvercomingTheChaos.pdf · Managing Unstructured Data Anne Shultz Illinois Institute of Technology

An Information Governance Approach to

Managing Unstructured Data

Anne ShultzIllinois Institute of Technology

1

What is Unstructured Data?

Data which is not stored in a database

Electronic documents where the contents can take any shape

2

What is Information Governance?

Making decisions about what should be done with information

Promotes the idea that information is an organizational asset

(not just the responsibility of the Information Technology Dept.)

3

Where I’m coming from…

Previously employed at Toyota & GM auto-manufacturing plant

NUMMI (New United Motors Manufacturing Inc.)

Involvement in the development of NUMMI’s Information Governance Program

Came up with organization & security designs for company data

Piloted these designs using

IT Department data

Content/Record Management Systems

4

Inspiration for this project…

I learned a LOT about challenges of organizing & securing data at a large company

A particularly frustrating challenge:

Once we determined how data should be organized and secured,

Technology solutions did not allow for these controls

Technology solutions offered too much unneeded functionality

5

Unfortunately…

NUMMI closed April 1st, 2011

Information Governance Program was never completed

6

Experiences left me wondering…

Instead of starting with the technology and asking:

How can we use this technology to organize and secure our data?

What if we started with the data and asked:

How should our information be organized and secured?

7

The Goal1. Use Information Governance activities to

Understand unstructured data,

Categorize unstructured data.

2. Use information gathered to create strategies for

Organizing unstructured data,

Securing unstructured data.

8

To help tell the story…

Company X

Is beginning an Information Governance Program

Wants to organize and secure unstructured data!

Also, going through a PeopleSoft HR Upgrade

This will provide specific examples for the presentation

4 employees will help tell the story…

9

Meet our Company X employees!Name Responsibility

Harriet Human Resources

•HR Specialist

•PeopleSoft HR Upgrade - Business Lead

Ralph Requisition

•Purchasing Specialist

•PeopleSoft HR Upgrade - handles purchasing for the project

Tammy Technology

•IT Manager

•PeopleSoft HR Upgrade - Project Manager

Carl Computer

•IT Contractor

•PeopleSoft HR Upgrade - Developer10

Information Governance Activities Used:

Information Assessment

Gathering & understanding all information existing in the organization

Records Retention

Categorizing information and determining how long documents in each category should be kept

Information Classification

Identifying which information is sensitive and creating labels and handling rules for each level of sensitivity

11

Gathering & understanding all information existing in the organization.

12

Why Information Assessment? Required to set direction and scope

Necessary for developing an effective information governance program.

You can’t govern something you don’t understand

13

In other words…“There is so much information!

We don’t even know where to start!

How the heck are we supposed to organize and secure it if we don’t even know what we have??”


Carl Computer Tammy Technology Ralph Requisition14

Many different approaches… Technology Approach

Data Classification tools, Profiling tools, Filesharecrawlers

Interview Approach

Interview business owners to determine which information is important

Process Flow Information Discovery

Use process flow diagrams to identify information for each business process

(developed by Marika Taylor @ NUMMI)

15

Many different approaches… Technology Approach

Data Classification tools, Profiling tools, Filesharecrawlers

Interview Approach

Interview business owners to determine which information is important


Use process flow diagrams to identify information for each business process

(developed by Marika Taylor @ NUMMI)

Carl Computer runs a tool

“So, Tammy Technology… what information is important to IT?”

Each key subject matter expert does a process flow chart of their processes to identify documents used

16


1. Identify department business functions

Completed by Department Management

2. Identify supporting business processes

Completed by Department Management

3. Diagram process flows

Completed by Key Subject Matter Experts

17


Example…

IT DepartmentBusiness Functions:

• Business Planning

• Operations Maintenance

• System Development

Tammy Technology:

“These are all the functions of IT!”

18


Example…





Tammy Technology:

“Business Planning is anything related to

the administration or budgeting”

19


Example…





Tammy Technology:

“System Development Is anything related to the development of

systems (like documents created

as part of a system upgrade)”

Carl Computer:

“Like PeopleSoft HR Upgrade documents!”

20


Example…





Tammy Technology:

“Operations Maintenance is

anything related to regular system upkeep & use.”

Carl Computer:

“Awesome!”21


Example…





Operations Maintenance Business Processes:

Incident & problem management processes

System maintenance processes

Service request management processes

System security & compliance management processes

22


Example…





Operations Maintenance Business Processes:

Incident & problem management processes

System maintenance processes

Service request management processes

System security & compliance management processes

Carl Computer:

“Like the annual audit

process!”23

24

How is Information Assessment Applied to Unstructured Data?

Process Flow Information Discovery Chart method is useful for 2 reasons:

Enables understanding of key information, required for business

Department business functions & processes can be used as an organizational structure for unstructured data

25

Categorizing information and determining how long documents in each category should be kept.

26

In other words…

“Ok, now we know what we have…

When is it ok to get rid of it?”



Why Records Retention? Why not keep everything?

Risk of a “smoking gun”

Inefficient – wading through old information is unproductive.

What could happen if information is disposed too soon?

Litigation risk (example: Arthur Anderson Trial)

Impact to ongoing operations

28

Solution:

Develop a Records Retention Schedule

“a document that an organization uses to ensure that records are kept only as long as legally and operationally required, and that obsolete records are disposed of in a systematic and controlled manner.”

(Iron Mountain, n.d.)

29

But wait! …What is a Record?

“a file that gives an evidential account of either a whole incident or part of an incident that occurred in the past.

The record provides the factual information concerning that incident”

(Adam, 2008)

30

Example:

The signed business case is a record of this event

Contains evidence that the company approved this project

Tammy Technology:

“Woohoo! The project spending committee signed

off on the PeopleSoft HR Upgrade business case!”

31

Records Retention Schedule1. Identify “Records” vs. “Working Copies”

2. Develop taxonomy:

Record Function

Record Class

Information Type (and ID #)

3. Determine retention (Event + Time format)

1. Legal Requirements

2. Operational Requirements

4. Determine owning departments

Example: Drafts of a record

that never become final

32

33

Tammy Technology:

“Technical records from the PeopleSoft HR Upgrade would fall into this category.

These are owned by IT and should be kept for the life of the system.”

34

Ralph Requisition:

“The signed charter for the PeopleSoft HR Upgrade would fall into this category since it has to do

with company spending.

These records are owned by Purchasing.”

35

Harriet Human Resources:

“HR owns a lot of records that need to be kept for legal reasons.

For example, OSHA requires us to keep medical records for 30 years after an employee is terminated.”

36

How is Record Retention Applied to Unstructured Data?

Record Retention Schedule is useful for several reasons:

Enables understanding of Records vs. Working Copies

“Information Type,” & “Owning Department” can be used as metadata for unstructured data

Provides rules on when unstructured data must be disposed

Taxonomy can be used as an organization structure for unstructured data Records

37

Identifying which information is sensitive and creating labels and handling rules for each level of sensitivity.

38

Why Information Classification?

Prioritize data security according to risk!

Information classifications define how data should be handled and protected at each risk level

39

Example:

Tammy Technology:

“This shopping list for the PeopleSoft HR Upgrade Party

probably won’t hurt the company.

I don’t need to worry too much about protecting it.”

Carl Computer:

“This list of PeopleSoft HR admin passwords could really hurt the

company if it fell into the wrong hands!

I should make sure I really protect it!”

40

Information Classification Levels

“Public – Information, that if disclosed outside the company, would not harm the organization, its employees, customers, or business partners

Internal Use Only—Information that is not sensitive to disclosure within the organization, but could harm the company if disclosed externally.

Company Confidential—Sensitive information that requires ‘need to know’ before access is given.” (Appleyard, 2007)

41

Use information gathered to create strategies for

• Organizing unstructured data

• Securing unstructured data

42

In other words…“Now we know what we should be doing with our

data…

Now how do we make sure we actually are doing it with unstructured data?”



Unstructured data organization & security strategy

Each step uses products of the Information Governance Activities

44

Step 1 - Determine Information Access Requirements

Should be completed by each department individually

Can be done using Classification Levels with an Access Requirement Matrix

45

Access Requirement Matrix Determining stable access requirements is difficult!

Frequent employee turn-over

Collaboration between departments and organizations

Access Requirement Matrix

used to identify access needs for Information Types

can be completed by asking 2 main questions:

What information needs to be accessed by who?

For how long?

46

Example (IT Department Matrix)

47

011 System Maintenance Documents

System Maintenance Documents are documents required for the regular

upkeep & use of systems (like the PeopleSoft HR system)


48



Example: Notes or procedures for troubleshooting

PeopleSoft HR system issues.

49

Putting this information type here

on the diagram…

means that these people can see it.


50

This includes…


51


There might also be PeopleSoft HR System

Maintenance Documents that people

in HR need to see.


52


Example: Notes or procedures for

how access to the PeopleSoft HR system

should be set up.


53

These would be placed here.


54

This way, these

people can see them.


55

Example (Completed IT Matrix)

56

Classification Levels Overlaid to ensure access aligns with company policy

Example:

57

58

IT Matrix with Classifications Overlaid

59

60

Temporary Access Requirements Example: Temporary project work

Access should be set up by the project manager with a due date

Due dates must be respected!

When the project is done, access must be removed.

61

Example:

Yay!Yay!Yay!

Tammy Technology:

As the project manager, I will make sure you all have access to

the PeopleSoft HR Upgrade folder!

62

Example:

Yay!Yay!

Tammy Technology:

But after the project, access to this folder will be

removed and records will be stored in the correct locations.

Aw, man!

63

Step 2 - Determine Functional Requirements

Outline functional differences between

Working copies

Records

Ensures information is managed appropriately at each stage of the information lifecycle

64

Document

Creation &

Collaboration Retain

Records

Dispose

Working Copies

Dispose

Records

Event + Time…

Information Lifecycle

65

Functional Requirements

Working Copies Records

Must be shared May be shared

Must be modified MUST NOT BE MODIFIED!!!

Must be frequently accessed May be accessed occasionally

Should be stored for easy access as work is being completed

Should be stored for easy disposal when retention is up

Can be disposed when no longer needed

Must not be disposed until Retention period ends!

66

Step 3 - Determine Functional Organization Design

How should data be organized?

Working Copies?

Records?

67

Functional Organization Design

Working CopiesMust be shared

Must be modified


Must be frequently accessed


Could be organized according to Department Business Function





Example:

68

RecordsMay be shared

MUST NOT BE MODIFIED!!!


May be accessed occasionally


Functional Organization DesignCould be organized according to Record Retention Schedule, by Information Type

Example:

69

Step 4 - Determine Functional Access Design

How should access be set up?

For Records?

For Working Copies?

70

Working CopiesMust be shared

Must be modified


Must be frequently accessed


Functional Access Design

Access should be set up using…

Access Requirement Matrix & Classification Levels

Temporary Access Set-up (for projects, etc)

71

Records

May be shared

MUST NOT BE MODIFIED!!!


May be accessed occasionally


Functional Access DesignIn addition to basic Access Requirements:

Must be read-only once they become Records

Only owning department should add records to record folders

Only appointed Subject Matter Expert should dispose records for the owning department

72

Step 5 - Determine Metadata

Should be consistent across all information

Basic metadata

Metadata to describe how the data should be handled (functional)

73

Metadata

BASICFUNCTIONAL

(handler instructions)

Creator Rights

Title Information Classification

File Type Information Type

Date Created Owning Department

Date Modified Is this a Record?

Modified ByHas the Retention Event Occurred?

74

Metadata

BASICFUNCTIONAL


Creator Rights






PROBLEM!

Too much metadata =

Too many steps to save a document!

75

Metadata

BASICFUNCTIONAL


Creator Rights






PROBLEM!

Solution: Automation

76

Opportunities for Automation

Metadata

Proposed Automation Requirements

Assign MethodSystem Data

Used to AssignAction Triggered

Creator Automateddetermined by user's system username

None

Title Manual N/A None

File Type Automateddetermined by application used to create document

None

Date Created Automateddetermined by system time & date information

None

77


Metadata




Date Modified

Automateddetermined by system time & date information

When entered, this should trigger:a. Logging by the system for future retrieval

Modified By Automateddetermined by user's system username

When entered, this should trigger:a. Logging by the system for future retrieval

78


Metadata


Assign Method

System Data Used to Assign

Action Triggered

Rights AutomatedAccess rights assigned to the folder

If not aligned with Classification Levels:

- Error Message

Information Classification Level

Manual - drop down list of Information Classificaitonlevels

N/AIf not aligned with Rights:

- Error Message

79


Metadata


Assign Method


Action Triggered



- Error Message




- Error Message

80

Example:

If Carl Computer tries to save a “Confidential “ document in an “Internal Use Only/Public” folder…


Metadata


Assign Method


Action Triggered



- Error Message




- Error Message

81

Error Message:

Rights for this folder:

- Contractors & above

- All Departments

Classification Levels allowed in this folder:

- Internal Use Only

- Public

Documents with any other classification level must be must be saved in a more secure folder.


Metadata




Information Type

Manual - drop down list of Information Types, based on user’s access

user's access(user profile information)

When Information Type selected, this should trigger:

- assign “Owning Department”(of Information Type)

Owning Department

Automateddetermined by Information Type

None

82

User is a contractor in IT

IT contractors can see these Information Types

(these will be available in the drop-down menu)

Example…

83


Metadata




Information Type

Manual - drop down list of Information Types, based on user’s access

user's access(user profile information)

When Information Type selected, this should trigger:

- assign “Owning Department”(of Information Type)

Owning Department

Automateddetermined by Information Type

None

84

If the IT contractor selects

“009 Business Cases, Vendor Bids, Proposals, Quotes,”

Owning Department populated will be

“Purchasing”

since Purchasing owns this Information Type.

Example…

85

Metadata



Used to Assign

Action Triggered

Record Manual - check box N/A

If {User Department

<does not equal>

Info Type Owning Department}

Then {Error Message}

Else {Send to Electronic Records Vault\Information Type Folder}

Event Occurred

Manual - check box NOTE - Event Occurred should be able to be selected for an entire folder at once

N/A Start retention period


86

Metadata



Used to Assign

Action Triggered


If {User Department

<does not equal>




Event Occurred




Example Error Message:

This document has the following information type:

[009 Business Cases, Vendor Bids, Proposals, Quotes]

This information type is owned by Purchasing.

Only members of the Purchasing Department can upload records with this information type.

87

Metadata



Used to Assign

Action Triggered


If {User Department

<does not equal>




Event Occurred




Else…Send file to the correct folder in the

Electronic Records Vault

88


Metadata



Used to Assign

Action Triggered


If {User Department

<does not equal>




Event Occurred



89

Benefits of using this approach

Unstructured data required for business is identified

Organizational structures are developed

Working Copies: by business function & process

Records: by Record Retention Schedule categories

Security requirements are established.

Metadata are established

Basic & Functional90

Next Step…

Identify and evaluate content management systems that can satisfy these requirements

91

Perspectives…

This is a lot of work! However….

This example was based on a large company implementation

It could be scaled down to fit a small company

The scope would be determined by the Information Assessment

A smaller company would have less information to deal with

92

“Questions?”

